Re: [Vyatta-users] happy with NAT. should I firewall also?

2008-01-02 Thread Alain Kelder
Thanks, Justin. I guess what I'm looking for is just to be reasonably secure. I 
understand that, strictly speaking, reasonably secure will mean different 
things to different people, so I'm just talking in broad terms. 

For instance, I understand that my SMTP server shouldn't be an open relay and
so it's set to only send mail for authenticated clients, and SMTP logins are
sent over TLS instead of clear text; I understand that TELNET communication is
unencrypted and SSH is strongly recommended instead, and SSHv2 is recommended
over SSHv1.

So I'm just looking for similar best practice recommendations for Vyatta as 
an edge router. 

So, NAT rules will cause all traffic for defined ports to be forwarded and then 
I make sure that services listening on those ports on my internal machines are 
patched against application level vulnerabilities. Is NAT for incoming traffic 
good enough or should one use some firewall rules in addition? If so, what 
rules? Rules to limit traffic to protocols appropriate for services listening 
on those ports (e.g. only allow SSH traffic on port 22) and rules to allow/deny 
based on the state of the packet.

Traffic that doesn't get forwarded via NAT rules is considered local to the 
router, right? So if I only want SSH from outside to the router, I define a 
firewall rule to allow SSH and an implicit deny all else takes place? 

thanks again, -Alain.


On Tue, 1 Jan 2008 20:18:20 -0800, Justin Fletcher [EMAIL PROTECTED] wrote:
> Depends on what you're looking for (of course :-) )
>
> Since you're under NAT, nothing can find your system that you don't
> have set up for forwarding.  You could set up firewall rules for the public
> address of your router, as it's wide-open otherwise, of course.
>
> A happy 2008 to you,
> Justin
>
> On Jan 1, 2008 6:40 PM, Alain Kelder [EMAIL PROTECTED] wrote:
> > Hello,
> >
> > At my home office, I have 1 public IP and I'm forwarding certain outside
> > port requests to the various machines inside using NAT. I'm allowing all
> > inside-out traffic. Given that I'm happy with this setup from the
> > functionality perspective, should I still add firewall rules to define
> > my current setup (e.g. to allow all inside-out traffic and to allow
> > http, smtp, etc to the various machines for outside-in traffic)? Am I
> > missing out on important security features the firewall would offer
> > which NAT doesn't?
> >
> > Currently I just have the following firewall statements:
> >
> > firewall {
> > log-martians: enable
> > send-redirects: disable
> > receive-redirects: disable
> > ip-src-route: disable
> > broadcast-ping: disable
> > syn-cookies: enable
> > }
> >
> > [EMAIL PROTECTED] show version
> > Baseline Version: vc3
> > Booted From: disk
> >
> > Happy New Year to all! Cheers, -Alain.
> > ___
> > Vyatta-users mailing list
> > Vyatta-users@mailman.vyatta.com
> > http://mailman.vyatta.com/mailman/listinfo/vyatta-users


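The ruleset Alain is describing (stateful accept, only the forwarded services to the inside hosts, only SSH to the router itself, drop and log everything else), written out as an added example that is not part of the thread. It uses the later Vyatta/VyOS `set` command syntax rather than the vc3 syntax shown above, and eth0 as the public interface plus the 192.168.1.x hosts are assumed placeholders; the `#` lines are comments.

```vyatta
# --- WAN_IN: traffic forwarded through the router to inside hosts ---
# DNAT runs before this chain, so rules match the *internal* addresses.
set firewall name WAN_IN default-action drop
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 15 action drop
set firewall name WAN_IN rule 15 state invalid enable
# Only SMTP to the mail host (placeholder address)
set firewall name WAN_IN rule 20 action accept
set firewall name WAN_IN rule 20 protocol tcp
set firewall name WAN_IN rule 20 destination address 192.168.1.10
set firewall name WAN_IN rule 20 destination port 25
# Only HTTP/HTTPS to the web host (placeholder address)
set firewall name WAN_IN rule 30 action accept
set firewall name WAN_IN rule 30 protocol tcp
set firewall name WAN_IN rule 30 destination address 192.168.1.20
set firewall name WAN_IN rule 30 destination port 80,443
# Explicit logged drop so unexpected inbound attempts show up in syslog
set firewall name WAN_IN rule 1000 action drop
set firewall name WAN_IN rule 1000 log enable

# --- WAN_LOCAL: traffic addressed to the router's own public IP ---
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
# SSH to the router, with a per-source rate limit (3 new connections/60 s)
set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 protocol tcp
set firewall name WAN_LOCAL rule 20 destination port 22
set firewall name WAN_LOCAL rule 20 state new enable
set firewall name WAN_LOCAL rule 20 recent count 3
set firewall name WAN_LOCAL rule 20 recent time 60
set firewall name WAN_LOCAL rule 1000 action drop
set firewall name WAN_LOCAL rule 1000 log enable

# Attach both rulesets to the public interface; outbound (LAN->WAN) stays open
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 firewall local name WAN_LOCAL
commit
save
```

Without `WAN_IN`, a NAT rule forwards whatever arrives on the mapped port with no state or protocol check, and without `WAN_LOCAL` every service listening on the router is reachable from the public address; `show firewall name WAN_LOCAL` in operational mode shows per-rule hit counters to confirm the rules are matching as intended.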


[Vyatta-users] happy with NAT. should I firewall also?

2008-01-01 Thread Alain Kelder
Hello,

At my home office, I have 1 public IP and I'm forwarding certain outside 
port requests to the various machines inside using NAT. I'm allowing all 
inside-out traffic. Given that I'm happy with this setup from the 
functionality perspective, should I still add firewall rules to define 
my current setup (e.g. to allow all inside-out traffic and to allow 
http, smtp, etc to the various machines for outside-in traffic)? Am I 
missing out on important security features the firewall would offer 
which NAT doesn't?

Currently I just have the following firewall statements:

firewall {
log-martians: enable
send-redirects: disable
receive-redirects: disable
ip-src-route: disable
broadcast-ping: disable
syn-cookies: enable
}

[EMAIL PROTECTED] show version
Baseline Version: vc3
Booted From: disk

Happy New Year to all! Cheers, -Alain.


Re: [Vyatta-users] happy with NAT. should I firewall also?

2008-01-01 Thread Justin Fletcher
Depends on what you're looking for (of course :-) )

Since you're under NAT, nothing can find your system that you don't
have set up for forwarding.  You could set up firewall rules for the public
address of your router, as it's wide-open otherwise, of course.

A happy 2008 to you,
Justin

On Jan 1, 2008 6:40 PM, Alain Kelder [EMAIL PROTECTED] wrote:
> Hello,
>
> At my home office, I have 1 public IP and I'm forwarding certain outside
> port requests to the various machines inside using NAT. I'm allowing all
> inside-out traffic. Given that I'm happy with this setup from the
> functionality perspective, should I still add firewall rules to define
> my current setup (e.g. to allow all inside-out traffic and to allow
> http, smtp, etc to the various machines for outside-in traffic)? Am I
> missing out on important security features the firewall would offer
> which NAT doesn't?
>
> Currently I just have the following firewall statements:
>
> firewall {
> log-martians: enable
> send-redirects: disable
> receive-redirects: disable
> ip-src-route: disable
> broadcast-ping: disable
> syn-cookies: enable
> }
>
> [EMAIL PROTECTED] show version
> Baseline Version: vc3
> Booted From: disk
>
> Happy New Year to all! Cheers, -Alain.
